WannaCry’s Lessons: Patch Windows, Be Real About Risk

When technology investments are fully depreciated and off the books, it may be tempting to relax and enjoy the lack of expense.
Jonathan StoneMay 30, 2017

The recent WannaCry cyber attack is one of the most widespread we’ve ever seen, and one of the most preventable.

In this case, having Windows up to date was enough to thwart the hackers. Updating Windows is not an expensive or difficult thing to do. Thus the fact that organizations around the world—including some very large and well-known ones—failed to do it shows that many CFOs may not be seeing the whole picture when evaluating the cost of keeping technology current versus the downside risk of a cyber attack.

Drive Business Strategy and Growth

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Jonathan Stone Kelser Corp. WannaCry

Jonathan Stone

One reason for this myopia is that when technology investments are fully depreciated and off the books, it may be tempting to relax and enjoy the lack of expense. However, it’s often a warning sign that there may be security issues to address.

As with real estate, vehicles and many other types of investments, technology requires maintenance. When making IT investments, CFOs need to be sure to factor in projections for the cost over time in addition to the initial outlay. Ignoring the need for maintenance leads to the accrual of “technical debt” — issues that compound and become more troublesome as time goes on.

WannaCry is a perfect example. Microsoft periodically releases “patches” for Windows which fix security issues discovered by hackers. A patch protecting against WannaCry was released in March. The malware affected computers that did not have the patch installed, or computers running very old versions of Windows that are no longer supported, such as Windows XP. (To be sure, Microsoft did release a patch for old versions in this case because the situation was so dire).

Installing patches and updating operating systems can be tedious. There are, however, such tools to automate the process as Windows Group Policy and Windows Server Update Services. It’s also important to ensure that your virus-protection subscriptions are kept up to date. Patches are free, and while subscriptions and upgrades can add up, the consequences of letting systems get out of date can be far greater.

Realistic Risk Assessment

WannaCry a form of ransomware, the most common type of cyber attack today, enables cybercriminals to lock up a company’s data until a ransom is paid. These attacks can be devastating, primarily because of lost productivity. Paying the ransom often doesn’t work (hackers are known to simply ask for more money) and it usually has to be paid in bitcoin, which most companies don’t have on hand. Restoring from backup (assuming you have one) also takes time. Meanwhile, business stops.

It may seem like your company’s unlikely to be a target. But WannaCry was an indiscriminate attack, and hackers are increasingly targeting small and medium-sized businesses, which they suspect may not have robust cybersecurity.

What would it cost your business to shut down unexpectedly for a day or more? What do you use your systems for? What wouldn’t you be able to do if all your files were encrypted?

It’s important to be clear about what’s at stake, both in the cost of downtime, and in how a hack could affect key relationships with customers or governing bodies. What would a data breach do to the bottom line if clients were lost or licenses suspended?

Organizations in industries such as health care and manufacturing can face legal ramifications if they fail to protect data. Each individual case is different, but it’s not science fiction to imagine how a cyber attack would play out in your organization — it’s an exercise in quantifying what you have to protect. What are you willing to do to safeguard your reputation?

A Familiar Framework

A CFO would never dream of operating a company without a variety of insurance policies in place. Practicing basic cybersecurity measures is similar: it’s a smaller, recurring cost to avoid the possibility of a potentially business-ending, one-time cost.

Sometimes it’s hard to see it this way because instead of receiving a payout after a triggering event, you’re implementing a series of safety nets designed to prevent disaster in the first place. Further, no single cybersecurity measure is fully effective on its own. In fact, even multiple security layers aren’t 100% effective (though they can get quite close).

Patching and updating software would be the bare minimum for any organization. While that was enough to stop WannaCry, it typically is not. Most ransomware spreads by enabling hackers to trick employees into giving up access to the network, and hackers are getting increasingly clever at how they do this. Sometimes they imitate partners or other employees.

Cybersecurity training is an excellent way to lower risk. You can view it in the same way you might view other types of training, such as sexual harassment or illegal discrimination in hiring, as a way to avoid potentially costly scenarios.

While insurance has existed for hundreds of years, cyber attacks and methods to prevent them are changing every year. More companies were affected by a cyber attack in 2016 than any previous year. With the overall risk increasing, maintaining a safe environment may thus cause technology costs to rise year over year.

New technologies, such as Cisco Umbrella, which recognizes patterns in DNS (Domain Name System) activity and notifies administrators of anything unusual, offer protection in ways that hadn’t been imagined just a few years ago.

In conclusion, the investment in protecting data is vanishingly small compared to the cost of a malware induced outage that makes it impossible to transact business.

Jonathan Stone is COO and CTO at Kelser Corp., a technology consulting firm in Glastonbury, Conn.